diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index 791c38756..3bc1dedb6 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -46,26 +46,31 @@ test_net_eth_vlan_rules:
   - from: 192.168.35.0/24
     table: kayobe-test-route-table
 {% endif %}
+test_net_eth_vlan_zone: test-zone1
 
 # br0: bridge with ports dummy3, dummy4.
 test_net_bridge_cidr: 192.168.36.0/24
 test_net_bridge_interface: br0
 test_net_bridge_bridge_ports: [dummy3, dummy4]
+test_net_bridge_zone: test-zone2
 
 # br0.43: VLAN subinterface of br0.
 test_net_bridge_vlan_cidr: 192.168.37.0/24
 test_net_bridge_vlan_interface: "{% raw %}{{ test_net_bridge_interface }}.{{ test_net_bridge_vlan_vlan }}{% endraw %}"
 test_net_bridge_vlan_vlan: 43
+test_net_bridge_vlan_zone: test-zone3
 
 # bond0: bond with slaves dummy5, dummy6.
 test_net_bond_cidr: 192.168.38.0/24
 test_net_bond_interface: bond0
 test_net_bond_bond_slaves: [dummy5, dummy6]
+test_net_bond_zone: test-zone3
 
 # bond0.44: VLAN subinterface of bond0.
 test_net_bond_vlan_cidr: 192.168.39.0/24
 test_net_bond_vlan_interface: "{% raw %}{{ test_net_bond_interface }}.{{ test_net_bond_vlan_vlan }}{% endraw %}"
 test_net_bond_vlan_vlan: 44
+test_net_bond_vlan_zone: public
 
 # Define a software RAID device consisting of two loopback devices.
 controller_mdadm_arrays:
@@ -130,3 +135,21 @@ chrony_ntp_servers:
     options:
       - option: maxsources
         val: 2
+
+# Enable firewalld (CentOS only).
+controller_firewalld_enabled: true
+controller_firewalld_zones:
+  - zone: test-zone1
+  - zone: test-zone2
+  - zone: test-zone3
+controller_firewalld_default_zone:
+controller_firewalld_rules:
+  - port: 8080/tcp
+    zone: test-zone1
+  - service: http
+    zone: test-zone2
+  - icmp_block: echo-request
+    zone: test-zone3
+  - service: cockpit
+    state: disabled
+    zone: public
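Review bot: The new `*_zone` values in the first hunk are consumed by test_firewalld_zones in tests/test_overcloud_host_configure.py, but nothing on the template says so, and the fact that br0.43 and bond0 deliberately share test-zone3 while bond0.44 goes into firewalld's built-in public zone reads like a copy-paste slip without a comment. Suggest a comment above `test_net_eth_vlan_zone: test-zone1` such as `# firewalld zone of each test interface; test-zone3 intentionally holds two interfaces and public is the built-in zone.` The custom zones themselves are only created by controller_firewalld_zones in the second hunk of this file, so the two hunks must stay in step.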
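Review bot: `controller_firewalld_enabled: true` in the second hunk is unconditional although its comment says CentOS only, and this template already wraps distro-specific settings in a Jinja conditional (the `{% endif %}` at the top of the first hunk). Unless the role itself skips non-CentOS hosts, the whole firewalld block should sit inside the equivalent `{% if %}`/`{% endif %}` so the non-CentOS jobs do not try to install and enable firewalld; if the role does skip them, the comment should say so. `controller_firewalld_default_zone:` is also left empty, which YAML reads as null; a comment such as `# null: leave the firewalld default zone unchanged` (if that is the role's behaviour) would make the intent explicit rather than looking like an unfinished line.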
diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
index 14084ccf7..9b535cd16 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py
@@ -5,11 +5,17 @@
 
 import ipaddress
 import os
+import time
 
 import distro
 import pytest
 
 
+def _is_firewalld_supported():
+    info = distro.linux_distribution()
+    return info[0].startswith('CentOS')
+
+
 def _is_dnf():
     info = distro.linux_distribution()
     return info[0].startswith('CentOS')
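Review bot: `_is_firewalld_supported` duplicates the body of `_is_dnf` line for line, so the two checks will drift apart the next time the distro test changes; a single `_is_centos()` helper that both functions return, e.g. `def _is_firewalld_supported(): return _is_centos()`, keeps one source of truth while preserving the two descriptive names used in the skipif markers. `import time` is also added in this hunk, but no use of `time` appears in the other hunk of this file, so unless it is used in a part of the file outside the diff it is an unused import that flake8 will flag.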
@@ -204,3 +210,75 @@ def test_dnf_automatic(host):
 def test_tuned_profile_is_active(host):
     tuned_output = host.check_output("tuned-adm active")
     assert "throughput-performance" in tuned_output
+
+
+@pytest.mark.skipif(not _is_firewalld_supported(),
+                    reason="Firewalld only supported on CentOS")
+def test_firewalld_running(host):
+    assert host.package("firewalld").is_installed
+    assert host.service("firewalld.service").is_enabled
+    assert host.service("firewalld.service").is_running
+
+
+@pytest.mark.skipif(not _is_firewalld_supported(),
+                    reason="Firewalld only supported on CentOS")
+def test_firewalld_zones(host):
+    # Verify that interfaces are on correct zones.
+    expected_zones = {
+        'dummy2.42': 'test-zone1',
+        'br0': 'test-zone2',
+        'br0.43': 'test-zone3',
+        'bond0': 'test-zone3',
+        'bond0.44': 'public'
+    }
+    for interface, expected_zone in expected_zones.items():
+        with host.sudo():
+            zone = host.check_output(
+                "firewall-cmd --get-zone-of-interface %s", interface)
+            assert zone == expected_zone
+
+            zone = host.check_output(
+                "firewall-cmd --permanent --get-zone-of-interface %s",
+                interface)
+            assert zone == expected_zone
+
+
+@pytest.mark.skipif(not _is_firewalld_supported(),
+                    reason="Firewalld only supported on CentOS")
+def test_firewalld_rules(host):
+    # Verify that expected rules are present.
+    expected_info = {
+        'test-zone1': [
+            ' services: ',
+            ' ports: 8080/tcp',
+            ' icmp-blocks: ',
+        ],
+        'test-zone2': [
+            ' services: http',
+            ' ports: ',
+            ' icmp-blocks: ',
+        ],
+        'test-zone3': [
+            ' services: ',
+            ' ports: ',
+            ' icmp-blocks: echo-request',
+        ],
+        'public': [
+            ' services: dhcpv6-client ssh',
+            ' ports: ',
+            ' icmp-blocks: ',
+        ],
+    }
+
+    for zone, expected_lines in expected_info.items():
+        with host.sudo():
+            info = host.check_output(
+                "firewall-cmd --info-zone %s", zone)
+            info = info.splitlines()
+            perm_info = host.check_output(
+                "firewall-cmd --permanent --info-zone %s", zone)
+            perm_info = perm_info.splitlines()
+
+            for expected_line in expected_lines:
+                assert expected_line in info
+                assert expected_line in perm_info
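Review bot: In both test_firewalld_zones and test_firewalld_rules the `with host.sudo():` block is re-entered on every loop iteration; hoisting it above the loop (`with host.sudo():` followed by `for interface, expected_zone in expected_zones.items():`) keeps the privileged section in one place and removes one indentation level. The rebinding `info = host.check_output(...)` then `info = info.splitlines()` is clearer as a single `info = host.check_output("firewall-cmd --info-zone %s", zone).splitlines()`, and likewise for perm_info. The `public` entry `' services: dhcpv6-client ssh'` is what implicitly proves that the `state: disabled` cockpit rule from overrides.yml.j2 took effect, so a comment such as `# cockpit must be absent: overrides.yml.j2 disables it in the public zone` would stop a future reader from "fixing" the list when the distro default changes. Since the checks are whole-line membership, the leading whitespace in these literals has to match exactly what firewall-cmd prints; worth confirming it survived unchanged.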